pass secret envs to service container

bumps to fork of Buildkit for SecretEnv support. associated PR: moby/buildkit#3957 Signed-off-by: Alex Suraci <suraci.alex@gmail.com>
vito · Jul 18, 2023 · e780249 · e780249
1 parent 85f896e
commit e780249
Show file tree

Hide file tree

Showing 3 changed files with 1,335 additions and 513 deletions.
diff --git a/core/service.go b/core/service.go
@@ -209,7 +209,6 @@ func (svc *Service) Start(ctx context.Context, gw bkgw.Client, progSock *Socket)
 	cfg := ctr.Config
 
 	env := []string{}
-
 	for _, e := range cfg.Env {
 		// strip out any env that are meant for internal use only, to prevent
 		// manually setting them
@@ -221,22 +220,30 @@ func (svc *Service) Start(ctx context.Context, gw bkgw.Client, progSock *Socket)
 		}
 	}
 
+	secretEnv := []*pb.SecretEnv{}
 	secretsToScrub := SecretToScrubInfo{}
-	for i, secret := range ctr.Secrets {
+	for i, ctrSecret := range ctr.Secrets {
 		switch {
-		case secret.EnvName != "":
-			secretsToScrub.Envs = append(secretsToScrub.Envs, secret.EnvName)
-			env = append(env, secret.EnvName+"=TODO") // XXX(vito): set the plaintext value
-		case secret.MountPath != "":
-			secretsToScrub.Files = append(secretsToScrub.Files, secret.MountPath)
+		case ctrSecret.EnvName != "":
+			secretsToScrub.Envs = append(secretsToScrub.Envs, ctrSecret.EnvName)
+			secret, err := ctrSecret.Secret.ToSecret()
+			if err != nil {
+				return nil, err
+			}
+			secretEnv = append(secretEnv, &pb.SecretEnv{
+				ID:   secret.Name,
+				Name: ctrSecret.EnvName,
+			})
+		case ctrSecret.MountPath != "":
+			secretsToScrub.Files = append(secretsToScrub.Files, ctrSecret.MountPath)
 			opt := &pb.SecretOpt{}
-			if secret.Owner != nil {
-				opt.Uid = uint32(secret.Owner.UID)
-				opt.Gid = uint32(secret.Owner.UID)
+			if ctrSecret.Owner != nil {
+				opt.Uid = uint32(ctrSecret.Owner.UID)
+				opt.Gid = uint32(ctrSecret.Owner.UID)
 				opt.Mode = 0o400 // preserve default
 			}
 			mounts = append(mounts, bkgw.Mount{
-				Dest:      secret.MountPath,
+				Dest:      ctrSecret.MountPath,
 				MountType: pb.MountType_SECRET,
 				SecretOpt: opt,
 			})
@@ -398,6 +405,7 @@ func (svc *Service) Start(ctx context.Context, gw bkgw.Client, progSock *Socket)
 	svcProc, err := gc.Start(ctx, bkgw.StartRequest{
 		Args:         args,
 		Env:          env,
+		SecretEnv:    secretEnv,
 		User:         cfg.User,
 		Cwd:          cfg.WorkingDir,
 		Tty:          false,

diff --git a/go.mod b/go.mod
@@ -172,8 +172,6 @@ require (
 	github.com/moby/sys/mount v0.3.3 // indirect
 	github.com/moby/sys/mountinfo v0.6.2 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.6.1 // indirect
-	github.com/onsi/gomega v1.24.2 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/package-url/packageurl-go v0.1.1-0.20220428063043-89078438f170 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
@@ -225,8 +223,8 @@ require (
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/containerd/ttrpc v1.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v24.0.1+incompatible
-	github.com/docker/docker v24.0.1+incompatible
+	github.com/docker/cli v24.0.2+incompatible
+	github.com/docker/docker v24.0.2+incompatible
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
@@ -265,3 +263,5 @@ require (
 	google.golang.org/protobuf v1.30.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+replace github.com/moby/buildkit => github.com/vito/buildkit v0.10.1-0.20230618015906-18eecc789079